A bad SSH certificate authority

Overview

⚠️ Do NOT use this unless you understand what you are doing. See below for why. I wrote this for my personal use and provide no support.


sshca

This is a small Rust program to use an asymmetric RSA key from AWS KMS as a single-user SSH certificate authority.

Installation

Requires AWS CLI on your $PATH.

cargo install --git https://github.com/iliana/sshca

Set up an environment file at ~/.config/sshca/env that defines SSHCA_KEY_ID with the KMS key ID. You can also set other environment variables there to help the AWS CLI find the correct credentials.

Usage

  • sshca pubkey: Outputs the public CA signing key in a form usable by ~/.ssh/authorized_keys.
  • sshca sign: Signs ~/.ssh/id_ed25519.pub with the CA signing key, writing the certificate to ~/.ssh/id_ed25519-cert.pub.

sshca is licensed under the WTFPL.

Thoughts

I prefer to avoid copying SSH keys between machines; in the past I used the PGP applet on YubiKeys with an authentication subkey and the GnuPG SSH agent, and had a handful of YubiKeys with my PGP key burned into them. I've since made the healthy decision to eliminate PGP from my life as much as possible, but still wanted a system where a single ~/.ssh/authorized_keys entry could authenticate me to nearly all systems without copying keys around. Thus, a basic CA.

This is not a multi-user SSH CA. In my setup, I have a separate AWS account that stores the key for my SSH CA, accessible solely by me via AWS SSO with two-factor authentication. Anybody with access to the signing key can sign anything they like, including SSH certificates for indefinite periods of time. A multi-user SSH CA requires application code to validate a user's request before signing a key.
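As an added example (not part of sshca), a std-only Rust parser for the leading fields of an ed25519 user certificate like the one `sshca sign` writes, followed by the validity and principal checks a multi-user CA would need before signing; `sample_cert` is a helper of this example that builds constructed bytes, not a real signed certificate.

```rust
// Added example, not part of sshca: parse the leading fields of an OpenSSH ed25519
// user certificate (wire format per PROTOCOL.certkeys) and apply the kind of policy a
// multi-user CA must enforce before signing. The sample bytes below are constructed.
struct Reader<'a> { buf: &'a [u8], pos: usize }
impl<'a> Reader<'a> {
    fn take(&mut self, n: usize) -> Option<&'a [u8]> {
        let end = self.pos.checked_add(n)?;
        let s = self.buf.get(self.pos..end)?; self.pos = end; Some(s)
    }
    fn u32(&mut self) -> Option<u32> { let b = self.take(4)?; Some(u32::from_be_bytes([b[0], b[1], b[2], b[3]])) }
    fn u64(&mut self) -> Option<u64> { let hi = self.u32()? as u64; Some(hi << 32 | self.u32()? as u64) }
    fn string(&mut self) -> Option<&'a [u8]> { let n = self.u32()? as usize; self.take(n) }
}
#[derive(Debug, PartialEq)]
pub struct CertInfo { pub key_id: String, pub principals: Vec<String>, pub valid_after: u64, pub valid_before: u64 }
/// Read key type, nonce, public key, serial, cert type, key id, principals and validity window.
pub fn parse_ed25519_cert(blob: &[u8]) -> Option<CertInfo> {
    let mut r = Reader { buf: blob, pos: 0 };
    if r.string()? != &b"ssh-ed25519-cert-v01@openssh.com"[..] { return None; }
    r.string()?; r.string()?; r.u64()?;     // nonce, certified ed25519 public key, serial
    if r.u32()? != 1 { return None; }       // 1 = user certificate (host certificates are type 2)
    let key_id = String::from_utf8(r.string()?.to_vec()).ok()?;
    let mut p = Reader { buf: r.string()?, pos: 0 }; // principals: one string holding nested strings
    let mut principals = Vec::new();
    while p.pos < p.buf.len() { principals.push(String::from_utf8(p.string()?.to_vec()).ok()?); }
    let (valid_after, valid_before) = (r.u64()?, r.u64()?);
    Some(CertInfo { key_id, principals, valid_after, valid_before })
}
/// Reject what an unchecked signer would produce: no principals (OpenSSH treats an empty list
/// as "any user"), a "forever" window (valid_before == u64::MAX), or a window longer than max_secs.
pub fn check_policy(c: &CertInfo, max_secs: u64) -> Result<(), String> {
    if c.principals.is_empty() { return Err("empty principal list: valid for any user".into()); }
    if c.valid_before == u64::MAX { return Err("unbounded validity".into()); }
    if c.valid_before <= c.valid_after { return Err("empty validity window".into()); }
    if c.valid_before - c.valid_after > max_secs { return Err(format!("validity exceeds {}s", max_secs)); }
    Ok(())
}
fn put_string(out: &mut Vec<u8>, s: &[u8]) { out.extend_from_slice(&(s.len() as u32).to_be_bytes()); out.extend_from_slice(s); }
/// Constructed certificate body with placeholder nonce and key; the trailing signature fields are omitted.
pub fn sample_cert(principals: &[&str], valid_after: u64, valid_before: u64) -> Vec<u8> {
    let mut out = Vec::new(); put_string(&mut out, b"ssh-ed25519-cert-v01@openssh.com");
    put_string(&mut out, &[0u8; 32]); put_string(&mut out, &[0x11u8; 32]);                  // nonce, public key
    out.extend_from_slice(&7u64.to_be_bytes()); out.extend_from_slice(&1u32.to_be_bytes()); // serial, user cert
    put_string(&mut out, b"iliana");                                                        // key id
    let mut list = Vec::new(); for p in principals { put_string(&mut list, p.as_bytes()); }
    put_string(&mut out, &list);
    out.extend_from_slice(&valid_after.to_be_bytes()); out.extend_from_slice(&valid_before.to_be_bytes());
    out
}
```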

Instead of using an AWS SDK, I opted to shell out to the AWS CLI, mainly to have support for complicated credential providers (e.g. AWS SSO, source profiles).

Crates I used for the first time:

  • sshcerts is lovely, but could use additional example documentation. It was difficult to get going at first.
  • cmd_lib has incredible macros for running shell commands without a shell and I strongly recommend it; I wish it were more flexible for displaying stderr without a logger set up.

Parsing RSA keys out of SubjectPublicKeyInfo DER documents in Rust remains a total pain in the ass. This is about the fourth time I've had to do this.

Owner
iliana etaoin